Reputation: 92387
I want to use a custom authentication module conforming to JSR 196 in GlassFish 3. The interface javax.security.auth.message.ServerAuth has the method:
    AuthStatus validateRequest(
            MessageInfo messageInfo,
            javax.security.auth.Subject clientSubject,
            javax.security.auth.Subject serviceSubject
    )
AuthStatus can be one of several constants like FAILURE or SUCCESS.
The question is: How can I get the roles from a "role database" with JSR 196?
Example: The server receives a request with an SSO token (a CAS token, for example), checks whether the token is valid, and populates the remote user object with roles fetched from a database via JDBC or from a REST service via HTTP.
Is the role fetching in the scope of JSR 196? How could that be implemented?
Do I have to use JSR 196 together with JSR 115 to use custom authentication and a custom role source?
Upvotes: 2
Views: 2047
Reputation: 4868
This is a code example from my JSR-196 OpenID implementation. The method sets the roles stored in a String array for the current CallerPrincipal:
    // handler (the container's CallbackHandler), assignedGroups (String[]), logger,
    // logInfo and DEBUG_JMAC are fields/helpers of the enclosing auth module class.
    private boolean setCallerPrincipal(String caller, Subject clientSubject) {
        boolean rvalue = true;
        boolean assignGroups = true;

        // create CallerPrincipalCallback
        CallerPrincipalCallback cPCB = new CallerPrincipalCallback(
                clientSubject, caller);

        if (cPCB.getName() == null && cPCB.getPrincipal() == null) {
            assignGroups = false;
        }

        try {
            // hand the caller (and, if one exists, its groups) to the container
            handler.handle((assignGroups ? new Callback[] {
                    cPCB,
                    new GroupPrincipalCallback(cPCB.getSubject(),
                            assignedGroups) } : new Callback[] { cPCB }));

            logInfo(DEBUG_JMAC, "jmac.caller_principal:" + cPCB.getName() + " "
                    + cPCB.getPrincipal());
        } catch (Exception e) {
            // should not happen
            logger.log(Level.WARNING, "jmac.failed_to_set_caller", e);
            rvalue = false;
        }

        return rvalue;
    }
I call this method during the validateRequest() method. You can see the complete code here: http://code.google.com/p/openid4java-jsr196/source/browse/trunk/src/main/java/org/imixs/openid/openid4java/OpenID4JavaAuthModule.java
Also this page will be helpful: http://code.google.com/p/openid4java-jsr196/
Upvotes: 1
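To show where the role lookup sits in the JSR 196 flow, here is an added, self-contained ServerAuthModule (example code, not from the page or the openid4java-jsr196 project). It assumes a constructed in-memory map as the "role database" (standing in for the JDBC or REST lookup) and an assumed X-SSO-Token header; the module only reports the caller and its group names through the callbacks, and the container maps groups to roles.

```java
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

/** Hypothetical SAM: validates an SSO token, then hands caller and groups to the container. */
public class TokenRoleAuthModule implements ServerAuthModule {
    // Constructed sample "role database"; a real module would query JDBC or a REST service here.
    private static final Map<String, String> TOKEN_TO_USER = Collections.singletonMap("tok-alice", "alice");
    private static final Map<String, String[]> USER_TO_GROUPS =
            Collections.singletonMap("alice", new String[] { "admins", "users" });
    private CallbackHandler handler;
    public void initialize(MessagePolicy req, MessagePolicy res, CallbackHandler h, Map opts) {
        this.handler = h;
    }
    public AuthStatus validateRequest(MessageInfo mi, Subject clientSubject, Subject serviceSubject)
            throws AuthException {
        HttpServletRequest request = (HttpServletRequest) mi.getRequestMessage();
        String token = request.getHeader("X-SSO-Token"); // assumed header name
        String user = token == null ? null : TOKEN_TO_USER.get(token);
        if (user == null) {
            return AuthStatus.SEND_FAILURE; // missing or invalid token: no caller is established
        }
        String[] groups = USER_TO_GROUPS.containsKey(user) ? USER_TO_GROUPS.get(user) : new String[0];
        try {
            // The module supplies only the caller name and group names; the container maps
            // groups to the roles declared in web.xml (e.g. via sun-web.xml), not the module.
            handler.handle(new Callback[] {
                    new CallerPrincipalCallback(clientSubject, user),
                    new GroupPrincipalCallback(clientSubject, groups) });
        } catch (Exception e) {
            throw (AuthException) new AuthException("failed to set caller principal").initCause(e);
        }
        return AuthStatus.SUCCESS;
    }
    public AuthStatus secureResponse(MessageInfo mi, Subject serviceSubject) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo mi, Subject subject) { }
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
}
```

Because the groups come back through GroupPrincipalCallback, the role-to-group mapping stays declarative (JSR 115 / sun-web.xml) and the module never has to know which roles exist.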
Reputation: 2840
Here's how I map users to roles:
I have 3 roles in my web.xml and also I have 3 role-to-group mappings in my sun-web.xml which map those roles to several groups. Then I have a database with a table Users that has a column called "group". That group corresponds to the group that is mapped to a role. I also use a JSR 196-based custom auth module with OpenID. So basically whenever a user is logged in, their group is read from the db and then my app assigns them the corresponding role. This is all done using the standard declarative security model of J2EE.
For my custom auth module I use a library called AuthenticRoast which makes things quite a bit simpler.
Hope this helps.
Upvotes: 0